To effectively fight the coronavirus pandemic, Czech Republic, Slovakia and Poland are introducing various smartphone apps that promise to increase the safety of citizens and eventually loosen lockdown measures. But in practice, enforcing this kind of digital leash raises many privacy and data security concerns.
Story by: Konrad Szczygieł (Fundacja Reporterów); Daniel Antoni (Investigatívne centrum Jána Kuciaka); Eva Kubániová (investigace.cz) Feature graphics: Lenka Matoušková
A project that purports to be a “way to quickly manage the [coronavirus] epidemic and the spread of infection within the population”, according to Roman Prymula, the Czech Deputy Minister of Health, will be launched by the government after the Easter holidays.
Known as “Smart Quarantine”, the project is the creation of 12 prominent Czech technology companies that came together under the name “Covid19cz” to offer technical help to the government. Testing of the app started in late March in the southern Czech Republic, where COVID-19 has spread only mildly.
Smart Quarantine is focused on mapping the movement of an infected person for the five-day period prior to their receiving a positive test result using data drawn from mobile operators and credit card companies. Hygienists [Public Health Officers who deal with epidemics] will go through the so-called “memory map” with an infected person to help determine whether they came into contact with and infected another person.
“We know that human memory is limited and it’s quite complicated to remember where you were shopping and how many people were around,” Irena Zatloukalová, the spokeswoman for Covid19cz, says. “We know that risky contact [between two people] entails a distance of less than two meters [from one another] for more than 15 minutes. A typical example of this is waiting in a queue.”
An individual’s consent is required to request their data from “third parties” like mobile operators and banks, and if a patient refuses to give up his data, the hygienist will try to create a “memory map” by asking them questions instead.
People who came into contact with the infected person will be urged to enter into a short-term quarantine, and if they are unable to reach a testing point by car, a testing team will come to their homes. If their results are negative, they become a “green person” and can resume their normal lives. If their results are positive, meanwhile, they become a “red person” and are required to abide by a 14-day quarantine, and receive medical treatment if necessary, Prymula explained on an official YouTube channel for the project. He emphasized that it takes no more than three days to get tested. “This means that every person should be treated in this system within three days”, he said.
If the project proves successful in the testing region, Smart Quarantine could replace the wide-ranging restrictions that were introduced to curb the COVID-19 crisis. “I hope it will be official as soon as possible, because our focus is to minimize damage to people’s lives and the economy,” Zatloukalová said. “The measures in the Czech Republic are very strict and are causing damage to many people. From our point of view, the technological solution is ready, and we can start to implement it nationally immediately.”
The IT experts behind the project are helping the country on a voluntary, not-for-profit basis. “The whole system is being developed by volunteers and companies at Covid19cz. They are also putting their own resources into the project — not just licenses for free solution,” Zatloukalová added.
On their website, Covid19cz says it protects rights to privacy and democratic values, and Zatloukalová says they believe their system is fully compliant with GDPR privacy laws, with countries like Slovakia, Great Britain, Lithuania, and Serbia also reportedly being interested in adopting the Czech solution.
Though Smart Quarantine has faced backlash from some journalists, Zatloukalová hopes that when people understand the project’s aims, and how the information will be used to help epidemiologists, they will be much more willing to allow their data to be used to build memory maps. She adds that the data is deleted within 6 hours at most after being used. “If we use [third party] data in any way, we do not download it, nor do we save it. The data will stay on the servers of mobile operators or the banks. We definitely do not want to develop a system of monitoring whether people are or are not abiding by quarantine requirements.”
Covid19cz is working on other projects in addition to the memory map, including a new feature on the app Mapy.cz, which allows its users to give their permission to share their location and receive a warning if they are in an area that puts them at risk for infection. They are also developing a Bluetooth Tracking app that would detect other users and whose cumulative data could, with the consent of individuals, be used to construct “memory maps.”
According to Covid19cz, 750 000 people have already voluntarily started to share their location [on Mapy.cz]. “The fear of hurting anyone else is much greater than the fear of sharing location data,” Zatloukalová said.
Who did your smartphone meet?
Similar tools are being developed in neighboring Slovakia. The newly elected government passed a law — the so-called “Lex Corona” — at the end of March to collect location data from mobile network operators — a controversial law the government says will only apply for the duration of the pandemic or until the end of this year.
The passed legislation is a tempered version of what was initially proposed, which would have made it possible to collect metadata, including text and calling information. Following sharp criticism on human rights grounds, the proposal was amended almost immediately.
The new technological measures address both those already infected and in quarantine, as well as those who might come into contact with the infected. The app monitors compliance with quarantine and also warns users when they come into proximity with an infected person.
According to the Slovak newspaper Dennik N, the application is being developed by the Slovak company Sygic, which will provide it to the government for free. It has yet to be decided whether the application will be mandatory or not.
Using Bluetooth, different phones will detect and register one another if they come within a certain distance. All devices will have their own unique code. Phones will log these codes, as well as how much time they were in proximity to one another, so that if a person has come into contact with an infected individual, the application will immediately notify them.
In addition to prevention, the application can also monitor whether Slovaks who tested positive for Covid-19 are following quarantine guidelines. Those infected are required to upload an address, phone number, and photograph of their face to the app, and healthcare professionals can send a control notification at any point during the mandated quarantine period that requires them to open the application, identify themselves with FaceID, and send their location data to a secure server.
Like in the Czech Republic, the state will also use data from telecommunications operators to create a memory map, with the consent of infected individuals.
Though the Slovak government has said that it intends to defend the privacy of its citizens, this declaration has already been tested. The country’s National Health Information Center, which logs the number of sick and tested individuals, reportedly failed to sufficiently secure its data. As a result, at the end of March hackers were able to develop a map showing where each infected person lived, even eventually attaching specific names to the statistics.
On March 19, Poland was one of the first countries in Europe to introduce a smartphone app intended to relieve the police from their duties controlling people in quarantine. It became mandatory for all citizens in quarantine on April 1.
Flaws in the app — such as its providing of inaccurate location data and sending out erroneous notifications — soon began to emerge, however. The app, it turned out, was neither [developed] by the Ministry of Digital Affairs nor any other government entity, but was rather a modified version of a social market research software that cost the country PLN 2.5 million (EUR 552 000).
Like in Slovakia, the app combines FaceID with location data. At randomized times throughout the day, users on quarantine are asked to confirm that they are indeed still at home. The app also allows users to contact services and social workers who, upon request, can deliver vital groceries, meals, or provide psychological support.
TakeTask, the owner of the app, had spent only three days modifying it into a quarantine monitoring tool, however. In addition to the Police Headquarters, provinces, and the Central Information Technology Centre (COI), the company can also access user data.
When reached for comment, TakeTask SA’s spokesperson Weronika Kostyra-Scanu said that the firm “can access user data because it performs technological and administrative work related to the app.”
Who is behind TakeTask?
TakeTask is an app owned by a company with the same name. TakeTask SA closed 2017 with a loss of PLN 235,000 (EUR 52 000) and failed to submit any data for 2018 to be included in the National Court Register. The company sells the app to entities that want to study how tasks are managed in large enterprises — in the past, it had also been used to study customer behaviour or monitor what store shelves look like.
The company is run by Sebastian Starzyński, a marketing and management graduate from SGH Warsaw School of Economics. He is also the chairman of the supervisory board of Sesta Market Research, which uses TakeTask. Starzyński presented his app at Congress 590 — an event that competes with the Economic Forum in Krynica and is funded by state-controlled companies and organised under the auspices of the president.
Sesta works mainly with commercial customers, and also offers solutions for state institutions and local governments. It carried out an opinion poll that was published by a local Warsaw portal during the local government campaign in 2018. It showed (contrary to previous polls) that Patryk Jaki would beat Rafał Trzaskowski. (A similar poll was published by Ariadna). According to “Gazeta.pl”, Starzyński had once been a shareholder in a company owned by Piotr Guział, a controversial former mayor of Ursynów and an SLD activist, who supported Patryk Jaki when he was running for the mayor of Warsaw.
When we asked about the origins of cooperation between TakeTask and the Ministry of Digital Affairs, the company referred us to the ministry.
The Ministry of Digital Affairs, on the other hand, has only said that the single-source order “results from Article 6 of the act from March 2, 2020, on special solutions that help prevent, combat and eradicate COVID-19, other contagious diseases and crisis situations caused by them.”
When asked by VSquare about the app’s security risks, TakeTask president Sebastian Starzyński emphasized that the app was only implemented in “two or three days. It offers a high level of security. The Internal Security Agency (ABW) ran some penetration tests and got the green light.”
On Wednesday, March 25, he asked VSquare journalists not to reveal the company’s name so as not to make it easier for cybercriminals to break into the company’s IT servers. “When dealing with a system that holds a lot of personal data, we need time. We have gained a lot of time,” said Starzyński on Monday, March 30.
We asked if it wouldn’t be safer to ensure the technology was secure before releasing it.
“The level of security we have built-in is very high,” he responded. “But various people, companies and services have tools that we might not be aware of. As a result, we are now adding new levels of protection. We are acting on the following principle: your flood banks may withstand most floods, but if they are hit by once-in-a-century waters, they may give way. Let’s not make it rain.”
Is two or three days enough time to successfully test an app’s security? According to experts, effective penetration tests should take much longer. Tomasz Zieliński, a professional programmer who has worked for several public institutions, said that an analysis of the source code stirred even more controversy. On his blog, he has made note of several concerning features in the programming, including code that would allow users to log in with a Facebook account, which he said would provide the social media giant with information about the number of people who launch it.
“The [tech] community is upset by such practices. But it’s probably the result of the hasty implementation,” Zieliński said. “In principle, we would not like the Polish government to disclose data to a private American corporation.”
On his blog, Zieliński provides other examples of flaws in the app. “Why does it need to have a library for image recognition? Why can you find a clown, a gorilla, a little devil and Leclerc vouchers in graphic libraries?” he mused.
He also raised questions about the price the Ministry paid for it. “The only thing that can justify such an amount is that the contract also includes servicing the app by the company,” he explained in an interview with VSquare. The market price for developing a similar app would typically amount to several hundred thousand zlotys, he said, whereas it seems that in addition to the PLN 2.5 million (EUR 552 000) initially paid by the government, TakeTask is also receiving PLN 200,000 (EUR 44 000) for “additional work.”
After the Ministry of Digital Affairs responded to his questions about the software on March 30, Zieliński updated some of the information on his blog about the source code, noting that the developers had removed the controversial Facebook library, and that the app had already been updated several times since its release.
ABW has not replied to VSquare’s questions about the kinds of penetration tests it carried out or whether ABW checked TakeTask for possible attempts to connect with external programmes and apps such as Facebook. Starzyński, on the other hand, has said that the app does not connect to any external software.
On April 3, the Ministry of Digital Affairs announced the development of another app: ProteGO, and invited independent programmers and graphic designers to collaborate on the project. The app, like the one being rolled out in Slovakia, will use Bluetooth technology to exchange data points between phones and alert users about potential exposure to coronavirus.
The Ministry claims that it won’t serve as a tracking device and that the data will only be stored on smartphones for two weeks. There is so far no information as to whether the app will be mandatory.
This text was financially supported by GACC (The Global Anti-Corruption Consortium) aimed at the Visegrad countries. Member centers Átlátszo and Direkt36 from Hungary, Fundacja Reporterów from Poland, Ján Kuciak Investigative Center from Slovakia and investigace.cz from the Czech Republic are working on the project.